4359 matches found
User Avatar - Reloaded < 1.2.2 - Contributor+ Stored XSS
Description The plugin does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks. As a Contributor+ create a new post and add one of the following shortcode. avatar user="admin"...
Membership Plugin - Restrict Content < 3.2.3 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged-in admin open a page containing the HTML code below. "/...
WP ERP < 1.12.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the employeename parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. As an admin user, visit the following URL on the site:...
Ultimate Dashboard < 3.7.6 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Ultimate Dashboard - Settings - General"...
ActiveCampaign < 8.1.12 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks As a contributor, add a "AC Forms" Gutenberg block to a...
Store Locator WordPress < 1.4.9 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. Exploit...
Flowplayer Video Player < 1.0.5 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks As a contributor, put, the following shortcode in a page/post flowplayer src='...
miniOrange's Malware Scanner < 4.5.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup Put the following payload in the...
New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF
The plugin does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes for bypassing the provided restrictions and to change plugin settings by tricking admin users into visiting specially crafted websites. Add code...
Advanced Image Sitemap <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the PHPSELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting. https://example.com/wp-admin/options-general.php/%22%3E%3Csvg/onload=alert/xss/%3E?page=ais...
Easy Digital Downloads < 2.11.6 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Downloadable File Name in the Logs, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed Create/edit a Download and put the following payload in the File Name field: Download the...
BulletProof Security < 5.2 - Sensitive Information Disclosure
The plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible /dbbackuplog.txt file which grants attackers the full path of the site, in addition to the path of database backup files...
Responsive 3D Slider <= 1.2 - Authenticated SQL Injection
The Add new scene functionality in the plugin uses an id parameter which is not sanitised, escaped or validated before being inserted to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 secon...
SEOPress 5.0.0 – 5.0.3 - Authenticated Stored Cross-Site Scripting
The plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the /src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts. $wpuser, 'pwd' = $wppass, 'rememberme' = 'forever', 'wp-submit' = 'Log+In', ; $outp...
Cashtomer <= 1.0.0 - Authenticated SQL Injection
An editid GET parameter of the plugin is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. GET /wp-admin/admin.php?page=add-social-point&id=facebookshare&editid=-9677%20UNION%20ALL%20SELECT%20NULL,NULL,user,NULL,NULL-- HTTP/1.1...
WP Offload SES Lite < 1.4.5 - Stored Cross-Site Scripting (XSS)
The plugin did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for exampl...
Welcart e-Commerce < 2.2.4 - Cross-Site Scripting (XSS)
The plugin did not sanitise or validate the orderid parameter before outputting in the page of the admin dashboard, leading to a reflected Cross-Site Scripting issue http://wp.lab/wordpress/wp-admin/admin.php?page=uscesorderlist&orderaction=edit&orderid=1"alert/XSS/...
Google CSE <= 1.0.7 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to...
Base64 Encoder/Decoder <= 0.9.2 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Make a logged in admin open the URL below...
WP Social Bookmark Menu <= 1.2 - Settings Update via CSRF
Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. document.forms0.submit;...
Site Notes <= 2.0.0 - Admin Note Deletion via CSRF
Description The plugin does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks Have an administrator open the following HTML file:...
PayHere Payment Gateway < 2.2.12 - Unauthenticated Log Data Disclosure
Description The plugin automatically creates publicly-accessible log files containing sensitive information when transactions occur. https://www.suppliment.lk/wp-content/uploads/payhere-logs/?SD https://www.medic.lk/wp-content/uploads/payhere-logs/?SD...
EventPrime < 3.2.0 - Reflected HTML Injection on keyword parameter
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to an HTML Injection on the plugin in the search area of the website. Insert '"Clickme! on the keyword search field or directly on the link...
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Description The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. 1 Navigate to "Newsletters Configuration History & Emails Configuration"...
PowerPress Podcasting < 11.0.12 - Contributor+ Stored XSS
Description The plugin does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin. Add the following payload to the Media URL field:...
Min Max Control < 4.6 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. alert1'...
Short URL < 1.6.5 - Admin+ Cross Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. In the plugin settings, add the POC alert1 to the...
Login/Signup Popup < 2.4 - Settings Reset via CSRF
The plugin does not have CSRF check when reseting its settings, which could allow attackers to make logged in admins perform such action via a CSRF attack Make a logged in admin open https://example.com/wp-admin/admin.php?page=easy-login-woocommerce-settings&reset=yes...
Login Configurator <= 2.1 - Reflected Cross-Site Scripting
The plugin does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators. Visit the following path:...
KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure
The plugin does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users Run the below command in the developer console of the web...
Seo By 10Web < 1.2.7 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Go to SEO by 10Web » Sitemap section. 2. And n...
Site Reviews < 6.7.1 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Login as Admin. 2. Go to...
NEX-Forms < 8.3.3 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks 1. Add a form 2. Insert the following payloa...
Pricing Tables WordPress Plugin – Easy Pricing Tables < 3.2.3 - Contributor+ Stored XSS via Shortcode
The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. Note: Enable compatibility mode by going to the settings of the plugins. Exploit shortcode: easy-pricing-toggle...
WP Maintenance Mode & Coming Soon < 2.4.5 - Subscribed Users Deletion via CSRF
The plugin is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack document.getElementById"test".submit;...
Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting via Import
The plugin does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. - Make a test form and then export it to your system. - Edit the file and enter an XSS payload like "img src=x...
Filr - Secure Document Library < 1.2.2.1 - Subscriber+ AJAX Calls
The plugin does not have authorisation check in two of its AJAX actions, allowing them to be called by any authenticated users, such as subscriber. They are are protected with a nonce, however the nonce is leaked on the dashboard. This could allow them to upload arbitrary HTML files as well as...
One Click Plugin Updater <= 2.4.14 - Arbitrary Settings Update via CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and disable / hide the badge of the available updates and the related check. document.getElementById"test".submit;...
ThirstyAffiliates Affiliate Link Manager < 3.10.5 - Subscriber+ Arbitrary Affiliate Links Creation
The plugin does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website fetch"/wp-admin/admin-ajax.php", "headers":...
Contact Form Advanced Database <= 1.0.8 - Unauthorised AJAX Calls
The plugin does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The deletecf7data would lead to arbitrary metadata deletion, as well ...
Shared Files < 1.6.61 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Download Counter Text settings and tick the Show Downlo...
WordPress Popular Posts < 5.3.3 - Authenticated Stored Cross-Site Scripting (XSS)
The plugin did not properly sanitise or escape its Default Thumbnail setting before outputting back in the page, leading to a stored Cross-Site Scripting issue POST /wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools HTTP/1.1 Accept:...
WP Config File Editor <= 1.7.1 - Authenticated Stored Cross-Site Scripting (XSS)
The WP Config File Editor WordPress plugin was affected by an Authenticated Stored Cross-Site Scripting XSS vulnerability. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesse...
CAS <= 1.0.0 - Unauthenticated Arbitrary File Access
Description This plugin does not validate a path generated with user input when downloading files, allowing unauthenticated user to download arbitrary files from the server https://example.com/wp-content/themes/cas/download.php?path=...
WP Prayer <= 2.0.9 - Arbitrary Prayer Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks Make and admin open a URL where is any valid prayer ID: https://example.com/wp-admin/admin.php?page=wpemanageprayer&doaction=delete&prayer...
Super Socializer < 7.13.64 - Editor+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed When creating a new widget, insert the following payload in the "FaceBook URL" field -...
WPB Show Core < 2.7 - Reflected XSS
Description The plugin does not sanitise and escape the parameters before outputting it back in the response of an unauthenticated request, leading to a Reflected Cross-Site Scripting Open an HTML file containing the following: alert/XSS/' / var form1 = document.getElementById'hack'; form1.submit...
Pz-LinkCard < 2.5.3 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Put the following payload in the "Class ID to be Added for PC" setting of the plugin...
Widget for Social Page Feeds < 6.4 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Create a new Facebook like widget. ...
Better Follow Button for Jetpack <= 8.0 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. 1. Navigate to:...